Custom RBAC roles in Azure
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
Azure RBAC comes with several built-in roles that you can assign to users, groups, service principals, and managed identities. To get the current list of built-in roles, use Get-AzRoleDefinition (PowerShell) or az role definition list (Azure CLI).
Recently one of my customers approached me to find out if there's a way to attach an IAM role that only allows taking managed disk snapshots in Azure. Upon further investigation, I realized there isn't a built-in RBAC role for that. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription and resource group scopes.
Steps to create Custom RBAC roles in Azure
1. To create custom roles, you need to have "Owner" or "User Administrator" privileges.
2. Go to your resource group and click on Access Control (IAM).
3. In the right pane, click on + Add, then Add custom role.
4. Name the custom role, give it a description, and clone it from one of the existing built-in roles. In this case I'm cloning from Virtual Machine Contributor.
5. In the Permissions tab, click on + Add permissions and select Microsoft.Compute.
6. Select the snapshot-related permissions and remove the rest.
7. Select the assignable scope. In this case, your target resource group.
8. Finally, create the custom role.
9. Assign this custom role to a user or group.
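The same procedure done with the Azure CLI instead of the portal, as an added example that is not part of the original post. The script writes the JSON role definition that `az role definition create` expects, runs a least-privilege check over it (no wildcard actions, no assignable scope wider than one resource group), and only then creates and assigns the role. The role name, the exact list of snapshot-related actions, the placeholder subscription id, resource group and principal object id are all my assumptions; adjust the action list to what your workflow actually needs.

```shell
#!/bin/sh
# Added example (not the original post's code): least-privilege custom role
# for managed disk snapshots, created with the Azure CLI.
# SUBSCRIPTION_ID, RESOURCE_GROUP and PRINCIPAL_ID below are placeholders.

# Emit the role definition JSON for "az role definition create".
# Arguments: subscription id, resource group name.
# The action list is an assumption; it grants snapshot CRUD plus the
# disk/read and resourceGroups/read permissions needed to find the source disk.
snapshot_role_json() {
  sub="$1"; rg="$2"
  cat <<EOF
{
  "Name": "Managed Disk Snapshot Operator",
  "Description": "Create, read and delete managed disk snapshots in one resource group",
  "Actions": [
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
    "Microsoft.Compute/snapshots/endGetAccess/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$sub/resourceGroups/$rg"
  ]
}
EOF
}

# Least-privilege check on a role definition file. Returns 0 when the
# definition passes, 1 when any quoted string contains a wildcard action
# (e.g. "Microsoft.Compute/*") or an assignable scope is the root ("/")
# or a whole subscription rather than a resource group.
check_role_definition() {
  file="$1"
  if grep -E '"[^"]*\*[^"]*"' "$file" >/dev/null; then
    echo "reject: wildcard action in $file" >&2
    return 1
  fi
  if grep -E '"(/|/subscriptions/[^"/]+)"' "$file" >/dev/null; then
    echo "reject: assignable scope wider than a resource group in $file" >&2
    return 1
  fi
  return 0
}

# Portal steps 8 and 9 via the CLI: create the role, then assign it at the
# resource group scope. Requires an existing "az login" session.
apply_role_with_az() {
  file="$1"; sub="$2"; rg="$3"; principal="$4"
  az role definition create --role-definition "@$file"
  az role assignment create --assignee-object-id "$principal" \
    --role "Managed Disk Snapshot Operator" \
    --scope "/subscriptions/$sub/resourceGroups/$rg"
}

# Placeholder values; override them in the environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
PRINCIPAL_ID="${PRINCIPAL_ID:-<object-id-of-user-or-group>}"
ROLE_FILE="${TMPDIR:-/tmp}/snapshot-role.json"

snapshot_role_json "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" > "$ROLE_FILE"
check_role_definition "$ROLE_FILE" || exit 1
echo "role definition written and checked: $ROLE_FILE"

# Only touch Azure when explicitly asked (APPLY=1) and the CLI is present.
if [ "${APPLY:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
  apply_role_with_az "$ROLE_FILE" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$PRINCIPAL_ID"
else
  echo "dry run; set APPLY=1 with an active az login to create and assign the role"
fi
```

Run it once without `APPLY` to review the generated JSON, then with `APPLY=1` to create and assign the role. The check function is deliberately strict about wildcards: cloning Virtual Machine Contributor in the portal starts you with `Microsoft.Compute/*`-style grants, and a role that keeps any of them is no longer a snapshot-only role.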
Now you can use this user to take Azure managed disk snapshots with the az CLI, the REST APIs, etc. In this blog, I have demonstrated the creation of custom roles from the Azure portal. You can also create custom roles with the Azure CLI or PowerShell.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles